Panorama read only with read only context switching via SAML?

drewdown — Tue, 11 Mar 2025 18:56:02 GMT

Can someone please tell me if this is possible? This is on 11.1.6. This worked fine in 9.1 on our previous panorama but not working in 11.1.6 on our newer one.

What I need is to be able to allow users to login via SAML and get RO access to panorama and allow them to context switch to the firewalls and get read only there as well. I have SAML auth profile and local admin profile (device-ro-role on each local firewall) to allow device context switching already but unable to make it work. In the past we created the admin profiles and assigned that role to them. But in 11.1.6 I cannot select the admin profiles, they simply don't show up in the drop down menu after selecting the saml auth profile > admin type custom panorama admin and then profile.

Part of this is my mistake, I had to change the admin profile to panorama which allowed me to select it. But when I do that and add the device admin role (which is configured on all the firewalls) and then login using my SAML account I get admin access and when I try to context switch it tells me 'Device Admin Role for this role based admin has not been defined.' So this is broken as its not giving me read only access and its not allowing me to context switch.

PAN admin role:

Local device role (pushed via global template):

Re: Panorama read only with read only context switching via SAML?

ozheng — Wed, 02 Apr 2025 04:15:47 GMT

Hello @drewdown

It is documented in the KB https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004LlvCAE&lang=en_US%E2%80%A9

Olivier

topic Re: Panorama read only with read only context switching via SAML? in Panorama Discussions

Panorama read only with read only context switching via SAML?

Re: Panorama read only with read only context switching via SAML?